The conversation starts here.


Turning Security Inside Out


BY KEVIN WERBACH 


No matter how poor the security mechanisms a company has in place, no one cares until something bad happens. No matter how good the security, it’s a failure as soon as a breach occurs. And breaches are inevitable. The basic mechanisms to secure commercial activity on the Internet are widely deployed, and billions of dollars are spent every year on more sophisticated and esoteric solutions to prevent various kinds of attacks. Still, hardly a week goes by without the discovery of a security hole in a popular application, a defaced Website or a publicized intrusion at a major corporation. (And there are plenty more that no one hears about.)


As more activity passes over the Internet and private Internet protocol (IP) networks, the importance of security will increase. Yet traditional network security concepts - firewalls, encrypted communications and intrusion detection - tend to rely on static, simplistic notions of access-blocking inappropriate for today’s dynamic, interconnected world. The reality is that both security threats and security protection are complex phenomena. And they are ultimately business questions rather than pure technology challenges. Internet security tools and services should seek to disappear into the larger realms of corporate strategy, business policies and risk management.


Online security breaches result from two fundamental properties of the Internet: its complexity and its openness. You can’t have the Internet without those two characteristics, and you can’t have perfect security with them. There are simply too many moving parts, dependent on too many layers of software with poorly understood interactions, managed by too many different organizations, with too many points of interconnection and access and too many actors. Moreover, the Internet was developed to allow systems that may not know or trust one another to interconnect and share data. Putting up a Website is tantamount to offering a window into your internal network. Even if that window is well-secured, it’s a risk. “The network needs to be open and closed at the same time,” says TrustWorks founder and chairman Alexander Galitsky (see page 8).


From Locks to Police Departments 


Security blankets 

There are many solutions on the market for the common security risks on the Internet. A survey of some of the major product categories includes:

• Public Key Infrastructure (PKI) solutions using digital certificates (SEE RELEASE 1.0, FEBRUARY 1998) and other tools from companies such as VeriSign, Baltimore Technologies and Entrust are widely deployed to verify online identities and to secure transactions in enterprise and B2B contexts.

• Firewalls from Checkpoint and others filter packets at network boundaries to prevent unauthorized or malicious traffic from passing into protected networks.

• Virus scanners continue their arms race against virus writers.

• The unsung secure sockets layer (SSL) has allowed e-commerce to flourish and made theft of credit-card or other data in transit a rarity.

• For problems SSL does not address, such as fraud and authentication, vendors have developed increasingly sophisticated responses (SEE CREDIVIEW IN RELEASE 1.0, OCTOBER 2000).

• Virtual private networks (VPNs), which allow secure communications tunneled through the public Internet, are booming.


Yet these tools solve only a limited subset of problems. Encryption can prevent an outsider from listening in on a communication in transit, but that still leaves the information vulnerable at either end. Not to mention that users must select and guard appropriate passwords and administrators must configure systems properly. Similarly, firewalls block packets that don’t fit specified profiles, but if not configured properly they can leave open opportunities for attacks. And firewalls do nothing to stop malicious users who have come in through another point on the network or are already behind the firewall as an employee or otherwise.


Putting people first 

Part of the problem is that established security technologies concentrate on whether someone is able to gain access to a protected network or resource. This is an important question, but it produces answers with low granularity. In the chaotic environment of the Internet, there is simply too much noise to separate the good guys from the bad guys reliably on this basis. A more useful piece of information is who is engaging in the relevant behavior; more valuable still is some sense of why the activity is taking place.


Here we approach the realm of psychology, which seems about as far as one can go from the hard-edged technical world of computer security. Yet state of mind is critical. A heavy stream of packets doesn’t know whether it’s a denial of service attack (see page 13) or streaming audio from the Superbowl ... but the person sending those packets does. An employee requesting information from a database may be performing legitimate job functions or corporate espionage. Rigid rule-based security techniques aren’t geared to understand the context that differentiates legitimate from malicious activities. They emphasize the machine in the middle rather than the humans on both sides: those responsible for keeping that machine secure, and those seeking to break in.


These points are not news to security experts. It is widely acknowledged in the security community that the biggest challenges involve humans rather than technology, that there is no magic bullet solution to security risks and that holistic approaches and greater education are the best hope.


Unfortunately, this recognition has hardly penetrated the ranks of business executives. Security is the ultimate case of technology to mitigate downside rather than to create upside. If a firewall works perfectly, it has an apparent ROI of zero. Of course, the alternative possibilities are much worse, and fear can be an effective motivator of IT spending. Scaring customers into deploying security solutions works only to a point, especially in periods of economic slowdown.

A better approach would be to tie security more closely to ongoing business processes and strategies. As it turns out, the leading edge of online security is moving in the same direction as e-business: toward more distributed, dynamic, policy-based systems that separate higher-level application logic from underlying communications and data processing.


In this issue, we discuss three broad developments indicative of this larger trend. First, the emergence of vendors who treat security as a service rather than a product, recognizing that no technology can eliminate all security threats. Second, a collection of companies that tie security more closely to business rules and policies. Third, responses to a particularly pernicious threat, denial of service attacks, that turn the problem from a security concern into an opportunity to improve Internet reliability and service quality.


Security is relative 

It's easy to fall into physical metaphors when discussing digital security. The goal is to keep intruders and viruses out, or to prevent eavesdropping on conversations. As is often the case, though, physical models don’t translate well into the virtual world. In a network of networks, nothing is entirely inside or outside. As businesses tie themselves together through extranets and integrated supply chains, the distinction between insiders and outsiders becomes fuzzy. Completely cutting off a network is simply not an option.


Recent events such as the theft of credit-card data from the World Economic Forum and the denial-of-service attacks that shut down Microsoft’s Website in January keep security threats on the radar screen of executives and technologists. There are now hundreds of security product and services companies, from startups to large integrated vendors such as Network Associates, Internet Security Systems, VeriSign and Symantec, as well as powerful specialized players such as Checkpoint. The usual market research firms throw around the usual multi-billion-dollar numbers for the size of the market today and in three to five years. Yet for all the money and effort going into security, the attacks keep happening.

The fact is, there will never be a perfect security solution. As Bruce Schneier of Counterpane Internet Security (see page 6) argues, “the Internet is too complex to secure.” Even a simple network or Website has a myriad of software applications, hardware devices and other vulnerable components. In most cases, best practices or patches to known security holes are readily available but not uniformly implemented. Some security risks arise only through the combination of two or more elements that are secure individually. Employees may select easily guessable passwords or compromise networks with unauthorized dial-up modems for remote access. Or as in the case of denial of service attacks (see page 12), the attacker may be trying to bring down the site rather than compromise it.


Given all these factors, the first step toward more effective network security is to stop thinking in absolute terms. A system is not secure or insecure; it is less or more well-protected against specific kinds of threats. Prevention remains essential, but it must be coupled with monitoring and response capabilities to deal with the inevitable cases where protection fails.


Beyond this, security in a distributed, networked world must itself be distributed. 
Local point solutions go only so far, and can easily create overwhelming deployment 
and management challenges. Things change quickly, with users moving around with 
laptops and wireless devices, and partnerships or acquisitions changing corporate 
relationships constantly. 


The rise of managed security 

The weak link in the security chain is almost always not technology, it’s people. Cryptography may have beautiful and sophisticated mathematical algorithms, but those techniques only go so far. If your company buys a powerful firewall or intrusion detection system for its network, how do you determine whether a suspicious event is actually an attack? That requires skilled security professionals, and such people are inevitably hard to find. Moreover, the large number of different security products and vendors can cause installation headaches, incompatibilities or even new security risks as businesses lose track of what they do and don’t have covered.


It may seem strange to think about outsourcing security, given the potential fear factor among companies and the limited success many application service providers (ASPs) have had convincing companies to let them host important services. Perversely, though, because security is so important and such a source of risk, it’s something companies may be more willing to outsource. Security is almost never a core competency of a business; it’s something you do to manage risk rather than to create opportunities. Given this, outsourcing security to someone who concentrates on it makes sense.


Recognizing this, a plethora of companies have jumped into the managed Internet security space over the past year, including Counterpane, OneSecure, Vigilinx, ISS, RIPTech, Guardent, SecureWorks and Para-Protect. Many of these started as consulting firms and have added monitoring to their traditional roles developing and deploying security architectures. Others sell traditional security equipment such as firewalls but handle the configuration and intrusion detection remotely. Others employ rapid-response teams to take action in the event of an apparent intrusion.


Counterpane 

COUNTERPANE INFO
Headquarters: San Jose, CA
Founded: 1999
Employees: undisclosed
Funding: $58 million from Accel Partners, Bessemer Venture Partners, Goldman Sachs, Morgan Stanley Dean Witter, Amerindo Investment Advisors, ClearLight Partners, Dell and Deutsche Bank
URL: www.counterpane.com

Counterpane was among the first companies to aggressively take the services approach, led by its founder and CTO Bruce Schneier (see RELEASE 1.0, MARCH 2000). Counterpane Systems, Schneier’s original company, was a consulting firm that developed and audited security architectures for corporations. But Schneier came to realize that such solutions didn’t address the root problem, and sometimes made the situation worse by concentrating attention on the impossible goal of threat prevention. So a little over a year ago he formed Counterpane Internet Security to offer security detection and response, sold as a hosted service. The old Counterpane Systems became the R&D arm of the new company.

Counterpane takes the concept of security as a service farther than most of its competitors. Counterpane has built a network of secure 24x7 operations centers staffed with trained security analysts who monitor for evidence of suspicious activity and can take appropriate action to investigate or escalate according to pre-defined procedures. Beyond wrapping management functions such as configuration and remote monitoring around existing products, Counterpane hopes to shift the security mindset away from products altogether.


The product-oriented security mentality, Schneier argues, dovetails with the natural tendency of mathematicians and technologists to look for concrete solutions to security threats. This leads companies to focus on preventative measures to the exclusion of detection and response mechanisms, which come into play when the prophylactic approaches fail. Schneier advocates the opposite viewpoint: “Detection and response is not only more cost-effective than protection; if done right it’s also the most effective approach.” Network security is no different from physical security, Schneier argues. To prevent burglaries we lock the doors and windows, train a dog and let the neighbors know we'll be away. But beyond these steps, we rely on outsourced monitoring and response by security guards and the police.


For Schneier, security is ultimately not about prevention but about risk management. And, he continues, “Risk is good. If I can manage my risk better than you I’m going to do better.” Companies with large international operations engage in derivatives trading to hedge risks of currency fluctuations. Though the initial motivation of the activity, as with security, is to prevent a loss, risk-management is a tool that companies can use to create competitive advantage. An online retailer might decide to ignore most security breaches or fraud during the holiday season because the costs of taking its site down for even a short time or of alienating real customers are too great. On the other end of a spectrum, a law firm might decide to cut off access at the first sign of an intrusion. In between these extremes lies a broad spectrum of gray, along which companies can take positions.


Taking this model to its logical conclusion, in July Counterpane announced an agreement with Lloyds of London to offer security insurance to its customers. The computer-science mentality would challenge the viability of insurance as a means of dealing with security risks by pointing out that risk levels are difficult to quantify. Schneier’s response is that, as in the real world, insurers simply use their expertise to take an educated guess. The point is that the risk is shifted onto a party best able to evaluate it, minimize it through the services of Counterpane and its competitors, pool it with other risks and deal with it efficiently.


Security as Policy: The New Frontier 


The boundaries of security depend on business policies and practices. Whether my company wants me to have access to a document or sees me as an intruder may depend on my job title, the project I'm currently working on, even the time of day. A string of input to an ecommerce Website may be a malicious hack designed to gain access to private customer information, or it may be an order from a legitimate customer. An email message stored in an Outlook folder may be perfectly harmless or it may be the smoking gun that results in huge damages against a company in a lawsuit... or it may contain a damaging virus.

Some of these distinctions don't involve security risks under the normal definition of the term. But all of them reflect the difference between what a computer “knows” and what a business “wants.” You may know what the corporate policy is or the purpose of a page on your Website, but the machines know only how to follow instructions, and those instructions generally operate at a much lower level.


The three companies described below all address different aspects of this problem. TrustWorks allows security policies to be implemented dynamically and comprehensively throughout a network, with high granularity. Sanctum adds a layer of intelligence to Web-based applications, making it difficult to use those applications to breach network security. Disappearing Inc. gives teeth to email retention policies by allowing users to send messages whose contents automatically become unreadable after a period of time.


TrustWorks 

TRUSTWORKS INFO
Headquarters: Amsterdam
Founded: 1998
Employees: 108
Funding: $22 million from UBS AG, Brunswick Warburg, Griffin Capital, GMO Trust, Fenway Service, FIM, pene Advisors, Rracebridge and individuals
URL: www.trustworks.com
Disclosure: Esther Dyson is an investor in and director of TrustWorks

As a company based in the Netherlands, founded by a Russian formerly with the Soviet space program and trying to sell into a market largely dominated by Americans, TrustWorks knows something about crossing boundaries. The company has developed a distributed security architecture based on a centralized management system that employs software agents on gateways, servers and client machines throughout a corporate network.

Much like the quality of service (QOS) solutions from Orchestream and IP Highway we covered in the past (see RELEASE 1.0, JUNE 1998), TrustWorks offers a central management console where security policies can be defined according to business logic. Those policies are automatically pushed out to the agents, eliminating the need to manage and update each firewall or other security element individually as a business's structure, activities or people change.

The result is something similar to the human immune system (an analogy Galitsky credits to Esther Dyson). The trusted agents float throughout the system like immune cells, but they are also subject to the direction of central immune system mechanisms when responses must be coordinated or changed. From one side everything appears distributed and autonomous, but it also acts as one organism.

Galitsky compares the traditional model based on local firewalls to putting a gate up outside your building. Once you get beyond the guard at the gate, everything is trusted. Yet from branch offices to laptop-wielding salespeople to partner extranets, companies are increasingly becoming decentralized. With businesses increasingly interconnected though, giving carte blanche to everyone inside the firewall doesn’t make sense. “You need to support how your business happens,” he explains. “If your business is distributed, you need to have security that is too.”


Security mechanisms embedded in TrustWorks’ agents cover the major security categories such as PKI, firewalls, virtual private networks and single sign-on, relying on the end-to-end security model of IPSec (see RELEASE 1.0, MAY 1999). The company can also integrate with or manage solutions from other vendors such as Checkpoint or Cisco as needed.


Rather than defining security policies in terms of traditional technical rules, TrustWorks takes a more relational approach. “We create a description of the relationship between boxes, applications and people who connect to them,” says Galitsky. For example, salespeople might need access to the mail server from outside the firewall because they travel frequently for business, but others in a company might not. From these business-oriented policies TrustWorks generates security configurations to manage certificates, tokens or other mechanisms that can provide fine-grained authentication, authorization, filtering and encryption at the user level.


One big advantage of this approach, says Galitsky, is flexibility. “Policies need to be dynamically changed, and sometimes the enforcement agent components that execute those policies need to be dynamically changed too,” he explains. For example, access rights may depend on departmental or project team boundaries. A security administrator might want to change encryption algorithms for security, business or regulatory reasons. A new application may require additional proxy filtering.


Galitsky says one area where TrustWorks is getting particular traction is for users who are either mobile or are on intermittent dial-up connections. With traditional security solutions, a branch office connected over an ISDN line isn’t automatically connected to a company’s central security infrastructure. With TrustWorks' solution, Galitsky says, “when you dial into the network you dynamically get [new instructions] which update the policy in your computer.”


Sanctum

SANCTUM INFO
Employees: 90
Funding: $24 million from Goldman Sachs, Intel, Sequoia Capital, Walden Capital, TiMark and the Sprout Group
URL: www.sanctuminc.com

The idea of application-level security takes some getting used to. A Web application runs on a Web server, which is typically protected by a firewall and other security mechanisms. Users must enter passwords to gain access to certain functions on Websites, sites routinely use digital certificates to verify authority, and the connections over which sensitive information passes are generally encrypted with SSL. So what else is left?

Plenty, it turns out. Web applications are among the most vulnerable elements of Internet infrastructure. “The hackers have found out in no uncertain terms that this is the easiest place to hack in to the system, because most of the applications out there are not being built by security experts, they are built by engineers under pressure to get them to market quickly,” explains Sanctum CEO Peggy Weigle. Sanctum has audited more than sixty companies and in virtually every case it has been able to breach sensitive systems in two hours or less by hacking Web applications.


“An unprotected web application is like a portal into the back-end systems,” says Weigle. For example, many Web applications can be fooled by manipulating URLs to send queries directly to a back-end database. Adding a wild-card character may deliver proprietary customer information, and changing a hidden field may allow prices to be changed. Unprotected directories may provide access to source code or other private information.


Sanctum was founded in 1997 by Israeli army veteran Gil Raanan. It now offers two products to address application-level vulnerabilities, AppShield and AppScan. AppShield monitors applications as they run to foil attacks. It doesn’t rely on a set of static rules, because such an approach wouldn't be able to keep up with the variety of Web applications and attacks. Instead, it analyzes every Web page that is part of an application as it is served up to the user.


As an example, an online banking application might include a form to enter a username and password, along with a menu item to transfer money between accounts. Before the page is sent to the user, AppShield identifies the types of activities the page was designed to accommodate and stores that information. When the user submits a response, the software checks to see that it corresponds to the policies of the page (and isn’t, for example, filled with extra data designed to create a “buffer overflow” condition).

The company also offers AppScan, which developers can use to audit Web applications before they go into production. It automatically checks for common application-level security problems and suggests fixes. AppShield costs $15,000 per server, while AppScan, which includes access to an updated knowledgebase of security holes, uses a subscription model. AppScan pricing starts at $20,000 per user per year for end-users, while auditors and consultants pay between $10,000 and $70,000 per year depending on the length of the contract and the number of audits.
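
The page-derived check described above for AppShield (record what each served page permits, then test the reply against it) can be sketched as follows. This is an added example, not Sanctum's code: the sample form, the field names and the 256-character default limit are assumptions, and a real deployment would keep the recorded policy server-side, tied to the user's session.

```python
from html.parser import HTMLParser

# Constructed sample page (not from any real site): a transfer form like the
# online-banking example in the text.
SERVED_PAGE = """
<form action="/transfer" method="post">
  <input type="hidden" name="fee" value="1.50">
  <input type="text" name="to_account" maxlength="12">
  <input type="text" name="amount" maxlength="9">
  <select name="from_account">
    <option value="checking">Checking</option>
    <option value="savings">Savings</option>
  </select>
  <input type="submit" name="go" value="Transfer">
</form>
"""

DEFAULT_MAXLEN = 256  # assumed cap for fields that declare no maxlength


class FormPolicyBuilder(HTMLParser):
    """Records, per field, what the served page allows a reply to contain."""

    def __init__(self):
        super().__init__()
        self.policy = {}      # field name -> constraint dict
        self._select = None   # name of the <select> currently open

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        name = a.get("name")
        if tag == "input" and name:
            kind = (a.get("type") or "text").lower()
            if kind in ("hidden", "submit"):
                # The server chose this value; the client may only echo it.
                self.policy[name] = {"fixed": a.get("value") or "",
                                     "required": kind == "hidden"}
            else:
                maxlen = a.get("maxlength") or ""
                self.policy[name] = {
                    "maxlen": int(maxlen) if maxlen.isdigit() else DEFAULT_MAXLEN}
        elif tag == "select" and name:
            self._select = name
            self.policy[name] = {"choices": set()}
        elif tag == "option" and self._select:
            self.policy[self._select]["choices"].add(a.get("value") or "")

    def handle_endtag(self, tag):
        if tag == "select":
            self._select = None


def build_policy(html):
    """Run before the page leaves the server; returns the policy to store."""
    builder = FormPolicyBuilder()
    builder.feed(html)
    return builder.policy


def check_submission(policy, submitted):
    """Return a list of violations; an empty list means the reply fits the page."""
    violations = []
    for name, value in submitted.items():
        rule = policy.get(name)
        if rule is None:
            violations.append(f"{name}: field was not on the served page")
        elif "fixed" in rule and value != rule["fixed"]:
            violations.append(f"{name}: server-set value was changed")
        elif "choices" in rule and value not in rule["choices"]:
            violations.append(f"{name}: value is not one of the offered options")
        elif "maxlen" in rule and len(value) > rule["maxlen"]:
            violations.append(
                f"{name}: {len(value)} characters exceeds limit of {rule['maxlen']}")
    for name, rule in policy.items():
        if rule.get("required") and name not in submitted:
            violations.append(f"{name}: server-set field is missing")
    return violations


if __name__ == "__main__":
    policy = build_policy(SERVED_PAGE)
    # Constructed replies: one that fits the page, one altered in four ways.
    good = {"fee": "1.50", "to_account": "0012345678", "amount": "250.00",
            "from_account": "savings", "go": "Transfer"}
    bad = {"fee": "0.00", "to_account": "A" * 500, "amount": "250.00",
           "from_account": "payroll", "debug": "1"}
    print("good reply:", check_submission(policy, good))
    for problem in check_submission(policy, bad):
        print("bad reply:", problem)
```

Because the policy is rebuilt from each page as it is served, a changed form needs no rule update, which is the property the text contrasts with static rule sets.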


Disappearing Inc. 

DISAPPEARING INC. INFO
Headquarters: San Francisco, CA
Founded: 1998
Funding: $20.5 million from Kleiner Perkins, Red Rock Ventures, Angel Investors, Ben Rosen and ex-Netscape CTO Eric Hahn

Encryption solutions such as pretty good privacy (PGP) protect email in transit between two users against eavesdroppers. But what happens when the email is subpoenaed in a lawsuit? Even if the contents are password-protected, users must give up the password. As companies such as Microsoft have discovered in recent years, internal email can be an extremely damaging form of evidence in litigation.

To cope with liability risks, most large corporations now have email retention policies specifying that old messages be deleted and removed from backup archives after a specified period. One small problem: these policies are never followed. Users either ignore them because going through old email is too cumbersome, or they store copies of their messages locally so they are preserved despite deletion of old files on the server. Moreover, because email is a store-and-forward application, copies on intermediate servers may persist even if both parties delete a message. Says Maclen Marvit, co-founder and CTO of Disappearing Inc., “If I send you an email, and we each delete our copies, there are lots of copies left over.”


Marvit, who worked for NASA before starting Disappearing, Inc., has a theory for why existing solutions don’t address the email retention problem: “Most security essentially emerged out of warfare. And in a warfare environment, information is regarded most of the time as an asset. Why would you ever want to get rid of information? In the legal environment, there are times when some information might be a liability. The idea that you might want to get rid of something is a whole new way of thinking about security.”


With the Disappearing Inc. solution, emails “disappear” after a specified interval. (To put it more precisely, they become unreadable.) All messages are automatically encrypted with a unique key. Every time the receiver opens the message, he or she is actually decrypting it on the fly. At the specified time the system deletes the key, meaning that all copies of the message, even those cached or stored on an intermediate email server, become unreadable without breaking the encryption. Disappearing Inc. offers a plug-in to Microsoft Outlook that makes sending a disappearing email a one-click affair. Users outside the company can still read the message (and have it disappear) because the message appears as HTML with the contents decrypted on each viewing.
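
The key-deletion scheme described above, as an added example that is not Disappearing Inc.'s code: each message gets its own key, held only by a key service, and every stray ciphertext copy becomes unreadable once that key is purged. The `KeyServer` class and its method names are hypothetical, and the cipher is a standard-library stand-in (SHA-256 keystream plus HMAC) where a real system would use a vetted authenticated cipher.

```python
import hashlib
import hmac
import secrets


def _subkey(key, label):
    # Separate keys for encryption and integrity, both derived from the message key.
    return hashlib.sha256(label + key).digest()


def _keystream(key, nonce, length):
    # Stand-in keystream (SHA-256 in counter mode) so the example needs only the
    # standard library; production code would use a vetted AEAD cipher instead.
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def seal(key, plaintext):
    """Encrypt and authenticate; returns nonce || ciphertext || tag."""
    nonce = secrets.token_bytes(16)
    stream = _keystream(_subkey(key, b"enc"), nonce, len(plaintext))
    body = bytes(p ^ s for p, s in zip(plaintext, stream))
    tag = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    return nonce + body + tag


def unseal(key, blob):
    """Verify the tag, then decrypt; raises ValueError on a wrong key or tampering."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(_subkey(key, b"mac"), nonce + body, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("wrong key or corrupted message")
    stream = _keystream(_subkey(key, b"enc"), nonce, len(body))
    return bytes(c ^ s for c, s in zip(body, stream))


class KeyServer:
    """Hypothetical key service: the only place message keys are ever stored."""

    def __init__(self):
        self._keys = {}  # message id -> (key, expiry in epoch seconds)

    def new_message(self, plaintext, ttl_seconds, now):
        """Encrypt under a fresh per-message key; the ciphertext may be copied anywhere."""
        msg_id = secrets.token_hex(8)
        key = secrets.token_bytes(32)
        self._keys[msg_id] = (key, now + ttl_seconds)
        return msg_id, seal(key, plaintext)

    def purge_expired(self, now):
        """Delete every key whose time has come; this is the 'disappearing' step."""
        for msg_id in [m for m, (_, expiry) in self._keys.items() if expiry <= now]:
            del self._keys[msg_id]

    def open_message(self, msg_id, blob, now):
        """Decrypt for one viewing; returns None once the key has been deleted."""
        self.purge_expired(now)
        entry = self._keys.get(msg_id)
        if entry is None:
            return None
        return unseal(entry[0], blob)


if __name__ == "__main__":
    server = KeyServer()
    # Constructed message and timestamps (seconds); the TTL is one hour.
    msg_id, blob = server.new_message(b"Q3 pricing draft", ttl_seconds=3600, now=1000)
    relay_copy = bytes(blob)  # a copy left behind on an intermediate mail server
    print(server.open_message(msg_id, relay_copy, now=2000))  # readable before expiry
    print(server.open_message(msg_id, relay_copy, now=4600))  # None: key is gone
```

Nothing in the sketch touches the ciphertext copies at expiry; only the key is removed, which is why copies outside the sender's control are covered as well.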


Of course, both parties to the message must want it to disappear. There is no way to stop someone (especially someone who knows that the message will otherwise “disappear”) from cutting and pasting text into another application or taking a photograph of the screen while the message is open. Disappearing Inc. addresses the more subtle but important problem that occurs when the sender and recipient (or their company) want messages to go away after a period of time, but that doesn’t happen. As noted earlier, this isn’t really a security problem, it’s a matter of using techniques derived from information security to implement a business policy. In the future, Disappearing Inc. will support other email management functions such as “unsending” and limiting message forwarding, in addition to automatic disappearance.


In November, Disappearing Inc. brought in Mike Burkland, formerly CEO of Web content-management vendor Eventus, as CEO. The company recently announced a strategic alliance with Ernst & Young, which will resell the technology and fund development of a Lotus Notes version.


Denial of Service 


Denial of service (DOS) attacks turn the Internet’s size and openness into a liability. A DOS attack doesn’t give the attacker access to a Website; it simply makes that Website difficult or impossible for others to reach and use. DOS attacks work by flooding Web servers or other network nodes with traffic, overwhelming their ability to respond. (The most common form is sometimes referred to as a SYN flood attack, because the attacker sends huge volumes of packets with the SYN, or synchronization, message to overload system queues.)


Such attacks are especially pernicious when launched simultaneously from many different points on the network, in what is known as a distributed denial of service (DDOS) attack. DDOS instigators often first break into other companies or service providers and use those networks’ servers as the launching points for their actions, frequently using spoofed IP addresses to make detection difficult. Because traffic on the Internet often hops across many backbone ISPs, back-tracking the bogus packets to the source can be cumbersome or even impossible.


A sufficiently concentrated DDOS attack can make a popular site virtually unreachable. In February 2000, such attacks brought down some of the Internet's most popular sites, including Yahoo!, CNN and Amazon.com. In late January of this year, most of Microsoft’s Websites were rendered inaccessible by DOS attacks on the company’s domain name servers.


The increasing sophistication of the attacks, encompassing not just Web servers but other infrastructure elements, is a particular cause for concern. Software tools that let relatively unsophisticated users launch DOS attacks are readily available. Many DOS attacks are not even recognized as such, being mis-identified as network congestion. As Counterpane's Schneier notes, “Denial of service attacks are very difficult to differentiate from success.” Live online events such as the Victoria’s Secret fashion show also create large volumes of traffic directed at a single site, the only difference being the intentions of those sending the packets.


There is no perfect way to stop DDOS attacks, because identifying, back-tracking and responding to all the sources of the attack inevitably requires some time, and because ISPs are reluctant to share sensitive traffic data. A DDOS attack directly affects a single Website, but the response depends upon many ISPs filtering the bogus traffic at many points on their networks, dispersing the economic incentives for a solution.


The significance of the DDOS threat has not gone unnoticed. In recent months, no
fewer than three startups have announced significant funding and launched service
offerings to address DOS. All of them offer similar basic architectures, derived from
academic work at MIT (Mazu), the University of Washington (Asta) and the
University of Michigan (Arbor). In each case, the solution is to deploy secure probe
devices in ISP networks that monitor network traffic passing through routers.


The anti-DOS services use proprietary algorithms to identify suspicious traffic. A
surge in usage over a certain route might be a popular streaming video or a heavy
round of online stock trading, for example. Once they have identified suspicious
activity, the anti-DOS tools trace it back to sites or peering points on an ISP’s
network, allowing network operators to take countermeasures such as filtering or
throttling back packet flows over those specific connections.


Arbor and Asta analyze sample packets passed through the router’s
network-management plane rather than sitting directly in the data path, which they
argue network operators will not tolerate for performance and security reasons. Mazu
employs a similar approach initially, but believes its technology will eventually
manipulate packets directly either in a standalone box or as a component of an
established platform.


All of the companies see DOS mitigation as only the first in a line of offerings in a
space most of them call “Internet availability management.” By deploying
monitoring devices through ISP networks, these companies hope to gain a more rich,
holistic view of Internet traffic patterns. Because the Internet is a network of networks
designed for “best-efforts” service, guaranteeing a level of performance, especially
when traffic passes more than one backbone, remains a difficult problem to this day,
despite the presence of policy-based routing and management solutions from
companies such as Orchestream and IP Highway.


DOS prevention may be an important incentive motivating companies and network
operators to deploy distributed monitoring and processing devices that provide a
more holistic view of the network. Microsoft's decision to engage Akamai (see
RELEASE 1.0, DECEMBER 1999) to distribute its DNS servers in the wake of last month’s
DOS attack is evidence in this direction.


Arbor Networks
Arbor Networks has been testing its DOS solution for the past five months with
Merit Networks, a regional backbone in Michigan, and other undisclosed potential
customers. Earlier this month it launched publicly and announced a
strategic relationship and investment from Cisco.


ARBOR NETWORKS INFO
Headquarters: Ann Arbor, MI and Waltham, MA
Founded: August 2000
URL: www.arbornetworks.com


Arbor chief scientist Farnam Jahanian, a former computer science
professor at the University of Michigan, was director of the Software
Systems Lab, which did early research on Internet traffic patterns
and routing behavior on Internet backbones in the mid-1990s.
Chief strategist Ted Julian was at security consulting firm @Stake
and before that was the lead security analyst at Forrester Research.
The third co-founder, cto Rob Malan, developed the basis for
Arbor’s approach in his PhD thesis at Michigan, and then spent time at IBM and HP
before starting Arbor.


The company offers a managed service to network operators, who will install the
technology on their own networks and resell it as a value-added service to corporate
customers. Arbor will also sell directly to large or self-hosted companies, but for the
most part it hopes to use service providers such as backbone operators and hosting
firms as a channel and support arm.


Julian says the key to success in the anti-DOS area will be a solution scalable and
reliable enough to meet the demands of major networks. For example, monitoring
devices cannot sit in the network path and sniff packets, because that would impose
unacceptable overhead on high-speed pipes. “No service provider is going to
re-architect their network just to make denial of service go away,” says Julian. Working
with different kinds of equipment will also be important, he stresses. Arbor initially
supports Cisco and Juniper routers, and also offers a generic gigabit Ethernet probe,
with support for other boxes planned.


Jahanian’s academic work at Michigan, funded by DARPA, Cisco and Intel,
examined causes of instability and traffic anomalies on Internet backbones, including
inefficient use of peering points and deliberate attacks. He concluded that any
solution to the latter problem would have to be distributed through core networks rather
than limited to the edge, or it would fail to provide effective coverage. The
technology that Arbor Networks eventually developed uses instrumentation at key locations
on the network, such as peering points, so that there is enough data to identify
emergent patterns without having to instrument every router on the network.


Arbor’s boxes, which are secure physical appliances running a modified version of
the OpenBSD operating system, first establish baseline traffic patterns in the
network zones they monitor. When an anomaly occurs, the device first checks a
database of known DOS attack patterns, and then applies various algorithms to
distinguish malicious traffic from false positives. For example, a stream of IP
addresses all separated by the same value would suggest source-address spoofing, a
possible tip-off of an attack. The monitoring devices create a description of the
suspicious activity, which Arbor calls a “fingerprint,” and send it to their compatriots
elsewhere on the network, which allows Arbor to determine how widespread a
phenomenon is and where it might be coming from. Finally, Arbor recommends filters
that network operators can apply (or modify) to combat the attack as close to the
source as possible.
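The sequence described above (baseline, anomaly, a check for evenly spaced source addresses, then a shareable description) can be sketched as follows. This is an added example, not Arbor's code or algorithm: the thresholds, the sorted-unique gap test, the fingerprint fields and all sample data are assumptions made for illustration.

```python
import hashlib
import ipaddress
import json
import random
import statistics
from collections import Counter

def baseline(history):
    """Mean and standard deviation of packets-per-interval for one monitored zone."""
    return statistics.mean(history), statistics.pstdev(history)

def is_anomalous(count, base, k=3.0):
    """True when an interval exceeds the baseline by more than k deviations."""
    mean, dev = base
    return count > mean + k * max(dev, 1.0)

def dominant_stride(sources, min_fraction=0.8, min_hosts=16):
    """Return the gap shared by most neighbouring source addresses, else None."""
    addrs = sorted({int(ipaddress.IPv4Address(s)) for s in sources})
    if len(addrs) < min_hosts:
        return None
    gaps = Counter(b - a for a, b in zip(addrs, addrs[1:]))
    stride, hits = gaps.most_common(1)[0]
    return stride if hits / (len(addrs) - 1) >= min_fraction else None

def fingerprint(proto, dst_port, stride):
    """Hypothetical fingerprint: traffic shape only, no addresses or routes."""
    desc = {"proto": proto, "dst_port": dst_port, "src_stride": stride}
    digest = hashlib.sha256(json.dumps(desc, sort_keys=True).encode()).hexdigest()
    return {"id": digest[:16], **desc}

def assess(history, window, proto="tcp", dst_port=80):
    """Classify one interval, given the source address of each sampled packet."""
    if not is_anomalous(len(window), baseline(history)):
        return {"verdict": "normal"}
    stride = dominant_stride(window)
    if stride is None:
        return {"verdict": "surge-unclassified"}   # could be a popular event
    return {"verdict": "suspected-spoofed-flood",
            "fingerprint": fingerprint(proto, dst_port, stride)}

# Constructed sample data (packets per interval in quiet periods); not real traffic.
HISTORY = [980, 1010, 995, 1005, 990, 1020, 1000, 1015]

def crowd_window(n=4000, seed=7):
    """Constructed surge from many unrelated sources, e.g. a popular live event."""
    rng = random.Random(seed)
    base = int(ipaddress.IPv4Address("198.18.0.0"))
    return [str(ipaddress.IPv4Address(base + rng.randrange(1 << 17))) for _ in range(n)]

def spoofed_window(n=4000, start="198.51.100.1", stride=4, hosts=60):
    """Constructed surge whose source addresses are all separated by the same value."""
    base = int(ipaddress.IPv4Address(start))
    return [str(ipaddress.IPv4Address(base + stride * (i % hosts))) for i in range(n)]

if __name__ == "__main__":
    for name, window in (("quiet", crowd_window(1003)), ("crowd", crowd_window()),
                         ("spoofed", spoofed_window())):
        print(name, assess(HISTORY, window))
```

Two probes that see the same pattern from different address blocks derive the same fingerprint id, which is what lets them compare notes without exchanging addresses. A window in which legitimate sources dilute the evenly spaced ones falls through to "surge-unclassified", so this one heuristic is not a complete detector.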

Network engineers today track and filter DOS attacks manually, but doing so is
time-consuming and expensive. In addition to the cost and delay, says Jahanian, this
means “attacks that last 10 to 15 minutes are often not detected at all.” Arbor’s
solution, he says, “allows a network operator to get his or her arms around the volume of
information going through their network, and focus their attention on the most
likely places that the attack is coming from.”


ISPs can freely share the fingerprints with other networks to coordinate responses
to DDOS attacks without compromising confidentiality, because the fingerprint
doesn’t reveal anything about network topology or customers. Arbor hopes its
solution will make coordinated DDOS responses more likely, but recognizes it will take
time for suspicious competitors to buy into the concept. So although the service
supports fingerprint sharing, it doesn’t require it. “It was critical for us to develop a
solution through which a provider could provide protection for its customers, even
if other providers didn’t cooperate,” Jahanian explains.


When the company launches commercial service in the second quarter, Julian says, 
end-user customers can expect to pay monthly subscription fees in the thousands of 
dollars per month, comparable to those of other managed network services. 


Asta Networks 

Joe Devich, who joined Asta Networks last month as ceo after a stint at digital sub- 
scriber line (DSL) wholesaler Covad, sees a broad market opportunity for his new 
company. “I really view it as a reliability problem more than a security problem,” he 
says. “Our mission is ensuring that the Internet is reliable for businesses.” 


“If you open your mailbox at home and you pull out the mail, you
can tell which is junk mail and which is not by looking at it,” notes
Devich, drawing an analogy to the traffic characteristics that Asta
picks up on with its algorithms for identifying DOS attack traffic.
The real value of the solution, Devich says, will arise when traffic
can be tracked across different networks, but filtering at any point
on any network can still significantly reduce the impact of DOS
attacks on ISP customers.


Asta’s devices are deployed today on the Internet2 research backbone, and are
also in testing at Exodus. In late December, Asta
announced it had successfully detected and responded to DOS attacks traversing the
Internet2 backbone, which it called the first example of automated DOS protection
in the field. The company has designed its solution to support incremental
deployment and to scale from T1 (1.5 Mbps) to OC-48 (2.5 Gbps) and faster line rates.


When pressed to differentiate Asta from its competitors, Devich emphasizes the
strength of the company’s management team and investors. Asta’s co-founder and
CTO, Tom Anderson, was previously a professor and researcher in distributed
systems and network reliability at the University of Washington as well as at Berkeley
(where he was involved with the clustering project later spun out as the basis of
Inktomi). Chief architect David Wetherall, also from the University of Washington,
was a pioneer in the development of so-called active networks, and chief scientist
Stefan Savage developed the basics of Asta’s approach in his Washington PhD thesis.
The company’s board includes Inktomi co-founder Eric Brewer and former MSN vp
Laura Jennings.


Devich emphasizes that DOS detection and pattern recognition are the foundation
for other services Asta plans to develop. He singles out prioritization of Internet
traffic, in order to support differentiated pricing and service classes, as one example. “If
you think of the way networks are managed, it’s analogous to the telephone
environment when we had a manual switchboard,” Devich says. Addressing any
network-scale problem, from DOS to QOS, requires extensive manual coordination and
router configuration. Like its competitors, Asta hopes to use DOS as a first step to
deploy automated monitoring and configuration tools that can be scaled up and
extended to other uses.


Mazu Networks
Mazu Networks began with a high-performance packet-analysis
technology in search of a real-world application. Cto Max Poletto
and chief scientist Eddie Kohler developed the technology at MIT
and linked up with Paul Hsiao and Sulu Mamdani, who were across
the river at Harvard Business School. The four developed a business
plan around combating DOS attacks. They took second place in last
year’s MIT $50K entrepreneurship competition, which led to venture
financing and the hiring of Phil London, previously vp of engineering
at Trilogy and PCOrder, as ceo. Mazu has been field-testing
its service since December and now has nine potential customers
evaluating its solution, including corporations, network operators and hosting
providers.


Unlike Asta and Arbor, which query routers for data to analyze, Mazu examines
packets directly. The first component of its solution is a monitoring device that sits
at the core of a network, connected to the data path via a passive optical splitter.
Detection and analysis occur in real-time, though without affecting the flow of data
over the wire. “Only by examining the entire packet with this type of fine-grained
analysis can you quickly respond to more sophisticated attacks from multiple
sources,” says London. A companion product sits on the edge of a potential DOS
victim’s network, where it can dynamically filter traffic by sitting in the data path.
The two products coordinate with Mazu’s back-end control center.


Mazu uses two kinds of analysis. Common forms of malicious traffic can be
identified based on signatures of typical DOS attacks, but this approach goes only so far.
Mazu also stores data about actual traffic patterns over the network segment that its
devices monitor, and watches those patterns fluctuate over time to determine
baselines and identify anomalies. “Although there is no such thing as typical traffic
Internet-wide, for any given path there is a statistical norm that can be determined,”
says London.


Over the past year, prospective customers Mazu has spoken with have seen the
pattern of DOS attacks change. The devastating attacks on major Websites that
occurred last February have all but disappeared. In their place, DOS attacks have
become more focused. Smaller attacks on specific portions of sites or company
infrastructure, which often have less bandwidth dedicated to them or less
redundancy, have become the norm. “What they are looking for is pinch points in the
network,” explains London.


London acknowledges DOS-prevention companies will have to convince the market
of the value of their offerings. “Clearly the source of revenue in this market is the
victims,” he points out, yet the solutions must be deployed across backbones rather
than just on individual company networks. The technology-savvy companies who
can best appreciate the solution Mazu provides, London says, are often least willing
to pay for it today. Conversely, established brick-and-mortar corporations for whom
brand equity and service quality are of paramount importance should be most
willing to spend on a solution that prevents significant performance degradation on
their Websites. Unfortunately, those companies tend not to be early adopters.


London sees Mazu and its competitors not as security companies, but as
mechanisms to enhance Internet reliability and availability. This is partly a matter of
business reality. In most corporations, executives in charge of security have limited
power compared to those responsible for more “positive” or revenue-generating
business functions. “[Denial of service] can’t be solved by the security people; it has
to be solved by the operations people,” says London.


“In the end, we're building a special-purpose router,” London says. He predicts there
will be room for only a limited number of data-networking boxes, and that as
consolidation occurs technology such as Mazu’s will migrate to software deployed on
platforms controlled by vendors such as Cisco and Nortel. Though Mazu offers an
appliance solution today, it has designed the underlying software to be portable and
to run on general-purpose hardware.


Security Disappears into Business 


Ultimately, security must no longer be viewed as an esoteric set of technology
solutions to equally esoteric - but frightening - technology threats. Many of the
problems we think of today as security issues can be reconceived in terms of other
business concerns. Denial of service attacks, for example (see page 12), are really part
of the broader category of network reliability and availability. Managed services (see
page 5) turn security into a form of risk management. TrustWorks' distributed
security framework ties security to business rules and policies using agents that are
automatically updated when things change.


This is part of a larger shift, explains TrustWorks founder Galitsky:
“Today network infrastructure is becoming a critical part of business
infrastructure, so security as a part of network infrastructure
needs to be linked into business infrastructure too.” As Wal-Mart,
Dell, Cisco and others have amply demonstrated, better business
infrastructure through leading-edge information technology is
more than a way to cut costs and streamline processes; it’s a
fundamental source of competitive advantage. A company with good IT
infrastructure can use that infrastructure to support and achieve
high-level strategic decisions, rather than make those decisions
within the limitations of the technology.


The issue then becomes one of corporate organizational dynamics.
To put it bluntly, security experts almost never have real power,
because all they do is spend money and restrict what others can do.
Even more important, most security experts are technologists at heart rather than
businesspeople. They come from the worlds of mathematics, spooks and hackers.
The distributed, business-relevant security of the future draws from different
disciplines. Schneier of Counterpane draws the contrast: “You can’t avoid the threat; you
have to manage the risk. Everyone in business understands that. People in computer
science don't get it.” (Where are the psychologists when we need them?)


The Internet is only going to become more complex, and that means security risks
will continue to become more serious. Businesses will continue to connect their
internal systems to the Internet and to link themselves together through shifting
virtual networks, creating new and constantly changing security vulnerabilities. The
companies that understand both the business and technical sides of security will
turn these problems into opportunities.


COMING SOON

• The new network.
• Triumph of the Weblogs.
• Mapping the Net.
• Beyond knowledge management.
• Broadband service platforms.

know of any good examples of
the categories listed above,
please let us know.)


Resources & Contact Information

Farnam Jahanian, Arbor Networks, 1 (734) 327-0000; fax, 1 (734) 327-9048; farnam@arbor.net

Ted Julian, Arbor Networks, 1 (781) 684-0900; fax, 1 (781) 768-4780; ted@arbor.net

Joe Devich, Asta Networks, 1 (206) 264-2444; fax, 1 (206) 264-1888; joe@astanetworks.com

Bruce Schneier, Counterpane Internet Security, 1 (408) 556-0322; fax, 1 (408) 556-0889;
schneier@counterpane.com

Bob Carberry, CyberSafe, 1 (425) 391-6000; bob.carberry@cybersafe.com

Maclen Marvit, Disappearing Inc., 1 (415) 904-3300; fax, 1 (415) 904-3350; maclen.marvit@disappearing.com

Phil London, Mazu Networks, 1 (617) 354-9292; fax, 1 (617) 354-9272; phil@mazunetworks.com

Peggy Weigle, Sanctum, 1 (408) 855-9500; fax, 1 (408) 855-9521; pweigle@sanctuminc.com

Alexander Galitsky, TrustWorks, 31 (20) 312-7312; fax, 31 (20) 609-6773; alexander.galitsky@trustworks.com


For further reading:
Bruce Schneier, Secrets and Lies: Digital Security in a Networked World (John Wiley & Sons 2000),
http://www.counterpane.com/sandl.html

Crypto-gram (monthly online security e-zine), http://www.counterpane.com/crypto-gram.html


Calendar of High-Tech Events


2001


FEBRUARY 21-24
TED 11 - Monterey, CA. Richard Saul Wurman’s magical mystery tour, now
supported by the publishers of Business 2.0, rolls on. For more info, call 1
(401) 848-2299; fax, 1 (401) 848-2599; email, wurman@ted.com;
www.ted.com. &

MARCH 5-7
ROAM - Tucson, AZ. Roam if you want to, roam around the wireless world.
The Industry Standard’s first-ever wireless event. For more information, call
1 (415) 682-2150; fax, 1 (415) 681-6284; email roam@thestandard.com;
thestandard.com/events/wi01roam/register.

MARCH 6-9
CFP2001 - Cambridge MA. The 11th annual event for exploring the future
of privacy and freedom in the online world. For more info, email
info@cfp2001.org; www.cfp2001.org.

MARCH 10-14
ACM1: BEYOND CYBERSPACE - San Jose, CA. Explore how computing is
affecting the state of the art in such diverse fields as biology, oceanography,
astrophysics, life sciences, social sciences, and education, and how these
changes will increase our understanding of the world we inhabit. Speakers
include Bob Metcalfe, Steve Ballmer, Rodney Brooks and Vint Cerf. For more
info, call 1 (212) 626-0500; fax, 1 (212) 944-1318; email acmlinfo@acm.org;
www.acm.org/acm1.

MARCH 12-16
INTERNET WORLD SPRING 2001 - Los Angeles, CA. Meg Whitman, Barry
Diller, Thomas Siebel and Jerry Greenberg keynote. For more info, call 1 (800)
632-5537; email registration@iw.com; www.pentonevents.com/spring2001.

MARCH 19-22
INTERNET ENTERTAINMENT EXPO - Las Vegas, NV. It's not all fun and
games anymore. For more info, contact Natalie Vercauteren at 1 (508) 424-4826;
email natalie_vercauteren@idg.com; www.ieexpo2001.com.

MARCH 20-23
SPRING VOICE ON THE NET - Phoenix, AZ. Let your voice be heard at Jeff
Pulver's spring offering. For more info, call 1 (631) 545-0800; email
von2001@pulver.com; www.pulver.com.

MARCH 22-28
CEBIT - Hannover, Germany. The world's largest trade fair for office,
information and telecommunications technology. For more information, call 1
(609) 987-1202; fax, 1 (609) 987-0092; www.hfusa.com/cebit.htm.

MARCH 25-28
PC FORUM - Scottsdale, AZ. Define yourself! Featuring Stratton Sclavos,
Ellen Hancock, Rob Glaser and more. Time is running out, so visit
www.pcforum2001.com right away! For more information contact Daphne
Kis at 1 (212) 924-8800; daphne@edventure.com. Gf

MARCH 29-31
SCHOOLTECH EXPO - New York, NY. Part of CMP Media's Educational
Technology Network, this conference will supply the critical information
needed to keep pace with the changes in education technology. Contact Shelly
Nielsen at 1 (415) 905-2413; fax, 1 (415) 908-6604; email snielsen@cmp.com;
www.schooltechexpo.com.

APRIL 3-4
GROUND ZERO ASIA - Singapore. Stemming from its US series, this event
will discuss successful strategies for the future of B2B ecommerce in Asia. For
more info, call 1 (510) 647 3799; fax, 1 (510) 647 3553; email
chrism@strategicintelligence.com; www.qgzasia.com.

APRIL 3-4
STRATEGIES FOR SUCCESS IN THE RUSSIAN INTERNET INDUSTRY -
St. Petersburg, Russia. A practical analysis of the commercial opportunities
evolving in the Russian Internet sector. For more info, call 44 (0) 20 7490 3774;
fax, 44 (0) 20 7505 0079; email telecoms@asi-conferences.com;
www.asi-conferences.com.

APRIL 21-22
NEW YORK MUSIC AND INTERNET EXPO - New York, NY. From Napster
to Freenet, we've only just begun. Ray Kurzweil and Carole Bayer Sager
keynote. For more information, call 1 (212) 965-0013; fax, 1 (212) 965-0023;
email info@newyorkexpo.com; www.newyorkexpo.com.

APRIL 29-26
THE WOMEN OF SILICON ALLEY SUMMIT II - New York, NY. I am
woman, hear me roar, in numbers too big to ignore. Call, 1 (212) 966-4242;
fax, 1 (212) 966-3558; email margaret@alleycatnews.com;
www.alleycatnews.com/guidelines_wosas.html.

MAY 1-5
TENTH INTERNATIONAL WORLD WIDE WEB CONFERENCE - Hong
Kong. Discuss the latest developments in web technology and the issues and
challenges facing the web community as it moves into the 21st century. For
more info, email info@www10.org.hk; www.www10.org.

MAY 6-11
NETWORLD + INTEROP - Las Vegas, NV. Network with the networking
community. For info, call 1 (650) 578-6900; fax, (650) 525-0224;
www.key3media.com/interop/lasvegas2001.

MAY 16-19
CIO FORUM FINANCIAL SERVICES - New York, NY. Strategic IT forum
for the US financial services industry. Presented by Richmond Events. Esther
Dyson keynotes. Contact Conference Manager Boukje van den Bosch-Smits
at 44 (20) 8487-2248 or 44 (771) 055-0666; email,
bvandenbosch@richmondevents.com; www.cioforum.com. EB

MAY 21-24
GIGAWORLD IT FORUM - Las Vegas, NV. Giga Information Group's flagship
event. Will address the technology and management challenges represented by
the Internet. To register, call 1 (888) 577-4442; email,
conferences@gigaweb.com; www.gigaweb.com.

MAY 22-25
VORTEX 2001 - Dana Point, CA. Bob Metcalfe and friends pan for gold at
the convergence of the Internet, telephone and television worlds. Call 1 (800)
633-4312; fax, 1 (650) 577-7840; email, registrar@idgexecforums.com;
www.idgexecforums.com/vortex2001/about_2001.html.

JUNE 3-5
SOHO SUMMIT - Colorado Springs, CO. An event designed for those in the
small office/home office market of companies with 20 employees or less. To
register, call 1 (415) 848-2100; fax, 1 (415) 848-2125; email,
office@sohosummit.com; www.sohosummit.com.

JUNE 11-13
SECURING THE INFOCOSM: SECURITY, PRIVACY AND RISK
MANAGEMENT AFTER E-BUSINESS - Orlando, FL. It's a brave new world.
For info, call 1 (203) 964-0096; fax, 1 (203) 324-7901; email,
info@gartner.com; www.gartner.com.

JUNE 12-14
EBUSINESS CONFERENCE & EXPO - San Jose, CA. There’s no business like
e-business! For more info, contact Ivan Resnikoff at 1 (415) 538-8946 or via
email at iresniko@cmp.com; www.kingbird.com/ebusiness.

JUNE 19-21
INFOWORLD CTO FORUM - San Francisco, CA. Speakers include Dan
Bricklin, Steve Jurvetson, Josh Levine, John McKinley and Ray Ozzie. For info,
email ctoregister@infoworld.com; ctoforum.infoworld.com.

JUNE 20-22
STREAMING MEDIA WEST - Long Beach, CA. Experience the reality and
boundless horizons of streaming technologies, content and business models.
To register, 1 (888) 301-8890; email, register@streamingmedia.com;
www.streamingmedia.com/west.


G Events Esther plans to attend.
[A Events Kevin plans to attend.


Lack of a symbol is no indication of lack of merit. The full, current calendar is available on our Website, www.edventure.com.
Please contact Kara Holmstrom (kara@edventure.com) to let us know about other events we should include.